2025.12.01 (Mon)


Public sentiment turns cold over Coupang's worst-ever nationwide data leak... "Kim Beom-seok, come out of hiding" and "Demand the Chinese government arrest and extradite him."

 

[News Space=Reporter Seungwon Lee] The unauthorized leak of personal information from 33.7 million customer accounts at Coupang, South Korea's largest e-commerce company, is being assessed as the worst data protection crisis in Korean history. The leak, which included names, phone numbers, email addresses, addresses, and even some order history, is leading analysts to conclude that "three out of four adults were affected," and is fueling calls for accountability from Coupang Chairman Kim Beom-seok, the company's de facto owner and majority shareholder.

 

A disaster of unprecedented scale, content, and timing.

 

Coupang initially reported approximately 4,500 affected accounts when reporting to authorities around November 18th, but revised the number to 33.7 million just 11 days later. Considering that Coupang's product commerce division had approximately 24.7 million active customers as of Q3 this year, industry sources believe that virtually all customer information was exposed. The leaked information included names, mobile phone numbers, email addresses, shipping addresses, and some order history, all of which are sensitive and directly linked to phishing, smishing, personalized fraud, and stalking. However, Coupang and authorities explain that payment information, card numbers, and login passwords were not included.

 

This unauthorized access is believed to have occurred via overseas servers (IP) starting on June 24, 2025, and Coupang failed to detect it for nearly five months before recognizing the leak on November 18. The problem is that even this recognition did not come from the company's own monitoring, but from an internal investigation launched only after a customer inquired on November 16, saying, “An unknown email sender knows my name, address, and five recent orders.” As media reports revealed this, criticism is spreading beyond “security failure” to “lack of monitoring” and “lack of response.”

 

Controversy surrounding Chinese former employees, overseas IP, and individual vs. organized crime

 

The current scenario, as understood by the police and government, is that a Chinese national, presumed to be a former Coupang development and operations employee, left the company, went overseas, and then accessed Coupang's main database without authorization through an overseas server. While the investigation is still in its early stages, investigative and security experts say that the attempted access and export of data at the scale of the entire database makes it difficult to rule out collusion with a mastermind organization, broker, or professional hacker, rather than a solo act.

 

Information security experts are placing more emphasis on the possibility of a "combined crime involving insiders and external hackers" rather than simple "advanced hacking," citing the possibility that internal personnel with full database access might have colluded with hackers during the actual external export process to attempt to sell the data to competitors or data brokers.

 

Coupang has described this incident in its notices and explanations as "unauthorized access," insisting that no high-level network intrusion or backdoor attack in the traditional sense has been confirmed. Consequently, the industry is now grappling with the following key issues: whether this incident was an "absurd security failure" in which internal privileges were leaked and then used from an overseas IP address; whether it was a "systemic risk" due to structural weaknesses in the company's internal network and access controls; and whether basic controls such as authorization management, log monitoring, and overseas IP blocking were, in practice, ineffective.

 

Coupang claims it didn't know for five months... 86.1 billion won in security investment is meaningless.

 

Coupang has publicly announced that it invested approximately 86.1 billion won in information security through 2024 and has promoted itself as a "tech company." However, the company is facing criticism for failing to implement even basic security measures, log analysis, and anomaly detection, following revelations that unauthorized overseas IP access and large-scale data retrieval and export attempts, which began on June 24th, went undetected for 147 days and were only discovered belatedly through customer reports.

 

In particular, since overseas IP source blocking for sensitive data servers, detection of mass queries and dumps, and monitoring of administrator accounts are considered "basic among the basics" in global big tech, Coupang's "poor security governance" is pointed out as the structural cause of this incident.

 

The Personal Information Protection Commission, the Ministry of Science and ICT, and the police have launched a joint inspection and investigation. Depending on the extent of the damage and the degree of intent or gross negligence, multiple sanctions, including fines, criminal penalties, and class action lawsuits, are anticipated. Already, online communities and consumer groups are raising concerns, asking, "Is a notification all there is to it?" Furthermore, preparations for class action lawsuits, with claims potentially worth hundreds of billions of won, are gaining traction.

 

Why is Kim Beom-seok's responsibility soaring?

 

While the official apology was issued under the name of Coupang CEO Park Dae-joon, public opinion is growing both domestically and internationally that Bom Suk Kim, Chairman of Coupang Inc., the de facto owner and ultimate decision-maker within Coupang's management structure, should step forward. While Coupang has maintained the practice of having the CEO of its Korean subsidiary issue public apologies, the scale of this leak, encompassing the vast majority of the Korean population, and the potential for it to escalate into a significant ESG and governance risk for US and global investors, are prompting criticism from shareholders, politicians, and civic groups.

 

In particular, as media reports have revealed that Coupang has been working hard to lobby and respond to regulations by recruiting a number of people from the National Assembly and government in recent years, the battle over “owner responsibility” is intensifying along with criticism that “while they put a lot of effort into defending against regulations, they were actually negligent in internal control and security.”

 

Some political circles and civic groups argue that "Chairman Kim Beom-seok, who sits at the pinnacle of the actual governance structure, must issue an official apology at the level of a public press conference, present a roadmap to prevent recurrence, and clarify the principles of compensation for damages to begin restoring trust," and are demanding a direct response from the highest authority, going beyond a simple apology from the CEO.

 

Rep. Na Kyung-won: "Formally request the Chinese government to arrest and extradite him."

 

The political offensive is also intensifying. People Power Party lawmaker Na Kyung-won reportedly took aim at President Lee Jae-myung and the government on social media, saying, "Immediately and officially demand that the Chinese government arrest and repatriate all former Chinese Coupang employees who fled to China."

 

Rep. Na characterized the leak of 33.7 million people's personal information as a "personal information disaster of all time," surpassing even the Cyworld and SK Telecom incidents. She also argued that given the Chinese authorities' investigative and control capabilities, it would be possible to locate and secure suspects in a short period of time if there were the will, raising the issue of diplomatic and judicial cooperation between South Korea and China.

 

The government has already announced plans to form a public-private joint investigation team, separate from the police investigation, and to strengthen monitoring of the illegal distribution of personal information over the next three months, emphasizing the need to "prevent secondary damage." However, some in the political arena are threatening to question whether a formal request for arrest and extradition will be made to the Chinese government, and what role the Ministry of Foreign Affairs will play. This suggests that the incident is expanding beyond a simple corporate security incident, potentially posing a threat to diplomacy, public safety, cybersecurity, and national image.

 

Domestic and international regulatory and litigation risks… Coupang's scenarios ahead.

 

In Korea, violations of the Personal Information Protection Act can result in simultaneous fines, penalties, criminal liability, and damages. Given the recent trend of class action lawsuits involving personal information, there are cautious predictions that the total amount of damages Coupang will have to pay could swell to hundreds of billions of won or more. In particular, the five-month failure to detect the incident, the suspicion of initial underestimation of the extent of the damage, the possibility of insider activity, and the delayed recognition after a customer report are expected to be key factors for regulatory authorities in determining whether there was "intentional or gross negligence."

 

As a NYSE-listed company, this incident could become a reporting and disclosure issue for both foreign investors and US regulators. Global ESG rating agencies already incorporate data protection and cybersecurity as key indicators, so Coupang's reputational risk could directly impact its future capital raising costs and corporate value.

 

Foreign and English-language reports repeatedly claim, "33.7 million customer accounts exposed" and "breach went undetected for five months," raising fundamental questions about Coupang's technological and security capabilities and governance.

 

Consumers demand action on secondary damage and practical measures.

 

Already, testimonies are appearing on various online communities and social media platforms, claiming, "There's been an increase in smishing text messages and phone calls that even access my recent order history." Victims are quickly forming groups to create online community forums and chat rooms to respond. Experts warn, "Data combined with phone numbers, addresses, and even specific purchase histories can be exploited for phishing, voice phishing, stalking, targeted financial fraud, and spear phishing attacks targeting businesses. Therefore, a mid- to long-term monitoring and support system is needed that goes beyond simple password changes."

 

Accordingly, civic groups and some members of the National Assembly are calling for follow-up legislation and policy measures, such as ▲providing free credit and identity theft monitoring services to victims, ▲establishing principles for practical compensation in the event of phishing and fraud damage, ▲having the government and global platforms cooperate to delete and block leaked information, and ▲strengthening the obligation and timing of personal information leak notifications.

 

Amid criticism that simple guidance emails and warnings alone are "insufficient to alleviate public anxiety," pressure is mounting for Coupang to establish a program to prevent and mitigate actual damage using its own resources.

 

"This time, it's not about technology or marketing, but ownership and governance."

 

Industry insiders and investors are viewing this situation as "the biggest crisis since Coupang's founding and a true test for the Kim Beom-seok administration." This incident starkly reveals how seriously Coupang, which has grown through fast delivery and aggressive investment, has built its "invisible infrastructure" of security, internal controls, governance, and social responsibility.

 

The core issues boil down to two: first, what level of technological, organizational, and process improvements, as well as compensation and indemnification packages, will Coupang offer? Second, will Chairman Kim Beom-seok, the de facto owner, personally step forward to offer a public apology and a persuasive mid- to long-term roadmap to prevent recurrence?

 

Depending on the company's future response, this "hacking disaster involving 33.7 million people" could either result in a permanent collapse of trust in Coupang or serve as a catalyst for raising data protection standards across Korea's big tech sector. Therefore, the market and the public are simultaneously focused on Coupang and Kim Beom-seok.
